
Veeam Backup Library Loaded by Unusual Process

Elastic Detection Rules

Summary
This rule detects possible decryption of stored backup credentials by PowerShell or by unsigned processes, using loads of the Veeam.Backup.Common.dll library as the signal. The library is a normal component of Veeam Backup software, but attackers, notably ransomware operators, load it from their own tooling to decrypt the credentials Veeam stores, which both exposes those credentials and helps them destroy backups before encryption. The EQL query matches library load events on Windows hosts in which the loading process is untrusted, carries no code signature, or is PowerShell or a similar scripting executable; loads by Veeam's own signed binaries do not match. The accompanying investigation guide explains how to establish whether the loading process is legitimate, how to recognise false positives, and what incident response and remediation steps to take.
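The following is an added example, not Elastic's rule code: it evaluates the three conditions described above against constructed, ECS-style library-load events so that the matching behaviour can be seen on sample data. The field names (host.os.type, event.action, dll.name, dll.pe.original_file_name, process.name, process.code_signature.exists and .trusted) are assumed to follow the Elastic Common Schema, and the set of "PowerShell or similar" executables is an assumption; both are marked in the code.

```python
from typing import Any

# Assumption: the library name is compared case-insensitively, and a renamed copy
# is still caught through the PE original file name.
TARGET_LIBRARY = "veeam.backup.common.dll"
# Assumption: which binaries count as "PowerShell or similar scripting executables".
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def get_field(event: dict, dotted: str) -> Any:
    """Walk a dotted ECS path ('process.code_signature.trusted') through nested dicts."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_reasons(event: dict) -> list[str]:
    """Return the rule conditions this event satisfies; an empty list means no alert."""
    if get_field(event, "host.os.type") != "windows":
        return []
    if get_field(event, "event.action") != "load":
        return []
    names = {
        str(get_field(event, "dll.name") or "").lower(),
        str(get_field(event, "dll.pe.original_file_name") or "").lower(),
    }
    if TARGET_LIBRARY not in names:
        return []

    reasons = []
    # Only an explicit False matches, mirroring an EQL `field == false` comparison:
    # an event with no code_signature fields at all matches neither signature branch,
    # so sensor coverage of signature data decides whether unsigned loaders are seen.
    if get_field(event, "process.code_signature.trusted") is False:
        reasons.append("untrusted code signature")
    if get_field(event, "process.code_signature.exists") is False:
        reasons.append("no code signature")
    if str(get_field(event, "process.name") or "").lower() in SCRIPT_HOSTS:
        reasons.append("scripting host loaded the library")
    return reasons


def run_rule(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Apply the rule to a batch of events; returns (process.name, reasons) per hit."""
    hits = []
    for ev in events:
        reasons = rule_reasons(ev)
        if reasons:
            hits.append((get_field(ev, "process.name"), reasons))
    return hits


def load_event(os_type, proc, dll, signed=None, trusted=None, original_name=None):
    """Build a constructed ECS-style library load event (sample data, not real telemetry)."""
    ev = {
        "host": {"os": {"type": os_type}},
        "event": {"category": "library", "action": "load"},
        "process": {"name": proc},
        "dll": {"name": dll},
    }
    if original_name is not None:
        ev["dll"]["pe"] = {"original_file_name": original_name}
    if signed is not None:
        ev["process"]["code_signature"] = {"exists": signed, "trusted": trusted}
    return ev


# Constructed sample batch: one benign Veeam load, three suspicious loads, three non-matches.
SAMPLE_EVENTS = [
    load_event("windows", "Veeam.Backup.Manager.exe", "Veeam.Backup.Common.dll", signed=True, trusted=True),
    load_event("windows", "powershell.exe", "Veeam.Backup.Common.dll", signed=True, trusted=True),
    load_event("windows", "update.exe", "Veeam.Backup.Common.dll", signed=False, trusted=False),
    load_event("windows", "svc.exe", "common.dll", signed=True, trusted=False,
               original_name="Veeam.Backup.Common.dll"),
    load_event("windows", "powershell.exe", "System.Management.Automation.dll", signed=True, trusted=True),
    load_event("linux", "pwsh", "Veeam.Backup.Common.dll"),
    load_event("windows", "unknown.exe", "Veeam.Backup.Common.dll"),  # no signature fields at all
]

if __name__ == "__main__":
    for proc, why in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {proc}: {', '.join(why)}")
```

Two points the batch is built to show: the renamed copy (svc.exe loading common.dll) is still caught through the PE original file name, and the last event, which carries no code-signature fields at all, produces no alert even though the loader is unknown, so a sensor that omits signature data silently narrows the rule to the scripting-host branch. When triaging the PowerShell hits, expect administrators using Veeam's own PowerShell cmdlets to load this library from powershell.exe; the investigation guide's process-legitimacy checks are there to separate that from an attacker's decryption script.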
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1003
  • T1555
  • T1059
  • T1059.001
Created: 2024-03-14